The Truth About Security Audits

With so much to lose doesn’t it make sense for the entertainment industry to agree on a single vendor security auditing standard?

Martin Porter, Executive Director

Something is broken in the content security world and nobody has figured out how to fix it. Ask any post house or replicator in town — anyone who’s handling invaluable pre-release content on behalf of the studios, game companies or record labels. They’ll tell you that they are being audited ad nauseam by studios, industry associations, consultancies, etc. One post house in town told me that it performed over 100 independent security audits last year alone, with serious cost in time, productivity, and auditing fees. There’s CDSA (which I run), MPAA, Microsoft, ISO, plus studios that also conduct their own review of a vendor’s content security procedures. A vendor will successfully gain accreditation or review by one body just to be called the next day for another audit by somebody else.

Don’t get me wrong — security audits are essential. In fact, standards need to get tighter and everyone needs to huddle around best practices and proven solutions that plug the possibility of a costly security breach.

But redundancy simply doesn’t make sense. It costs everyone money. And when it comes to security there’s simply no money to waste — especially with the new front exploding in the world of online piracy that could sink the entire ship if we’re not careful and if we’re not spending our money wisely. Paramount CTO Chris Carey’s presentation on the true cost of Internet piracy at ESCA EDGE last June was a wake-up call for the home entertainment industry. It made it clear that a decade of trying to put disc pirates out of business and making sure that a colorist doesn’t walk out of the post house with your next blockbuster on a hard drive in his pocket needs to advance to the equally (and potentially more) pressing issue of pirate cyberlockers aided by search engines and government agencies who drain the value of our Intellectual Property.

Obama had to make a tough decision. How did he hold onto Iraq while he moved resources to Afghanistan? Our industry has to make a similar choice. How do we secure the pre-release media front while we get our head around putting online pirates out of business?

But there’s more — more vendors than ever before to manage, audit and secure. It used to be you only needed to audit your post houses and your replicators — large, well-managed international corporations that already had security systems and risk management policies in place. But the connected world and new desktop technology tools have led to a proliferation of vendors throughout the world. Captioning is being done by a specialist in his Eastern European home, while music is being mixed in a basement studio in Brooklyn, and game code is being written in the backwoods of the Canadian Rockies. How do you audit these remote and often small corporate partners? Electronic Arts CISO Spencer Mott has a solution he describes on page 26 of this Journal.

Consolidated security audits are one way to save. Let’s dump all the standards into a single database, analyze the gaps, delete the overlap and come out with a single checklist that everyone agrees to and that can be executed by a single auditing body that can do the job best in the most cost-effective way. And let’s find an acceptable way to share the findings within the parameters of the law.

Let’s finally clean up our act on this still-essential legacy battle so we can focus resources and energies on the troubles ahead.